For years, Google has offered two handy features on its gmail.com platform that give you more control over your email address. You can use the “+” (plus) sign or the “.” (dot) to create additional addresses linked to your primary one. Let’s take an example with John, the owner of john.doe@gmail.com. John can share the address “john.doe+soccer@gmail.com” with his friends playing soccer, or “john.doe+security@gmail.com” to register on forums about information security. It’s the same with dots: Google simply ignores them, so “john.doe@gmail.com” is the same as “john.d.oe@gmail.com”. Many people use the “+” format to manage the flood of email they receive every day and automatically process it / store it in separate folders. That’s nice, but it can also be very useful to discover where an email address is being used.
A few days ago, Troy Hunt, the owner of the haveibeenpwned.com service (if you don’t know it yet, have a look and register!), announced that new massive dumps were in the wild, for a total of ~1B passwords! The new dumps are called “Exploit.In” (593M entries) and “Anti Public Combo List” (427M entries). The sources of the leaks are not clear. I grabbed a copy of the data and searched for Google “+” email addresses.
Not surprisingly, I found over 28K unique accounts! I extracted the strings after the “+” sign and indexed everything in Splunk:
As you can see, we recognise some known online services:
- xtube (adult content)
- friendster (social network)
- filesavr (file exchange service in the cloud)
- linkedin (social network)
- bioware (gaming platform)
This does not mean that those platforms were breached (OK, LinkedIn was), but it can give some indicators…
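The normalisation and tag extraction described above, as an added Python example (not the author’s Splunk workflow); the sample dump lines are constructed for illustration, and the regex and function names are my own:

```python
import re
from collections import Counter

# Constructed sample of "email:password" dump lines (made up, not real leaked data).
SAMPLE_LINES = """john.doe+xtube@gmail.com:hunter2
j.o.h.n.doe+filedropper@gmail.com:Passw0rd
jane+spam@gmail.com:letmein
jane+xtube@gmail.com:letmein
bob+ab@gmail.com:secret
alice@gmail.com:nopass
not an email line
carol+savage@example.org:abc""".splitlines()

EMAIL_RE = re.compile(r"([^\s:;,@]+)@([^\s:;,@]+)")
GOOGLE_DOMAINS = {"gmail.com"}

def normalize_gmail(address):
    # Canonical Gmail form: dots in the local part are ignored and the '+' tag is
    # dropped. Other domains are only lower-cased, as they may treat both as significant.
    local, _, domain = address.lower().rpartition("@")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def extract_plus_tag(address):
    # Text after '+' in a Gmail local part, or None if there is none.
    local, _, domain = address.lower().rpartition("@")
    if domain not in GOOGLE_DOMAINS or "+" not in local:
        return None
    return local.split("+", 1)[1]

def count_tags(lines, min_len=4):
    # Count '+' tags in the dump, keeping tags of at least min_len characters
    # (the post's "more than 3 characters" filter).
    counts = Counter()
    for line in lines:
        match = EMAIL_RE.search(line)
        tag = extract_plus_tag(match.group(0)) if match else None
        if tag and len(tag) >= min_len:
            counts[tag] += 1
    return counts

def canonical_google_accounts(lines):
    # Collapse every Gmail address to its canonical mailbox, so a user who
    # registered several '+' or dotted variants is counted once.
    accounts = set()
    for line in lines:
        match = EMAIL_RE.search(line)
        if match and match.group(2).lower() in GOOGLE_DOMAINS:
            accounts.add(normalize_gmail(match.group(0)))
    return accounts
```

`count_tags(SAMPLE_LINES).most_common()` gives the same kind of tag/count table as the one below, and `canonical_google_accounts` shows why dotted and “+” variants must be collapsed before counting unique accounts.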
Here is a dump of the top identified tags (only those with more than 3 characters, to keep the list useful). You can download the complete CSV here.
| Tag | Count |
| --- | --- |
| xtube | 37 |
| spam | 18 |
| filedropper | 17 |
| daz3d | 12 |
| bioware | 11 |
| friendster | 10 |
| savage | 10 |
| | 8 |
| eharmony | 7 |
| filesavr | 6 |
| bryce | 5 |
| savage2 | 5 |
| porn | 4 |
| precyl | 4 |
| bravenet | 3 |
| comicbookdb | 3 |
| freebie | 3 |
| freebiejeebies | 3 |
| freebies | 3 |
| hackforums | 3 |
| junk | 3 |
| kffl | 3 |
| social | 3 |
| youporn | 3 |
| 97979797 | 2 |
| brice | 2 |
| dazstudio | 2 |
| detnews | 2 |
| eharm | 2 |
| free | 2 |
| gamigo | 2 |
| hack | 2 |
| heroesofnewerth | 2 |
| itickets | 2 |
| lists | 2 |
| luther | 2 |
| paygr | 2 |
| policeauctions | 2 |
| test | 2 |
| texasmonthly | 2 |
| toddy | 2 |
| trzy | 2 |
| usercash | 2 |
| xtube2 | 2 |
I have to add that this ‘+’ feature is nothing Google came up with; others can do that too.
As Herman already wrote: most websites do not comply with RFC 5322 for the format. I always write them a mail to get their server to comply.
Crazy to see how many companies don’t allow +-signs within email addresses. :-/
https://twitter.com/Dailybits/status/861902752695406592